Efficient Circuit-Size Independent Public Key Encryption with KDM Security

  • Tal Malkin
  • Isamu Teranishi
  • Moti Yung
EUROCRYPT 2011. Part of the Lecture Notes in Computer Science book series (LNCS, volume 6632)


Key Dependent Message (KDM) secure encryption is a relatively new area that has attracted much research in recent years. Roughly speaking, a scheme is KDM secure with respect to a function set \(\mathcal{F}\) if it remains secure even when the adversary obtains encryptions of key-dependent messages f(sk) for any \(f\in\mathcal{F}\) (encrypting a secret key under its own public key, or a cycle of users' keys under one another, is the special case in which f is a projection). We present a construction of an efficient public key encryption scheme that is KDM secure with respect to a large function set \(\mathcal{F}\): the functions computable by polynomial-size Modular Arithmetic Circuits (MACs; the term is unrelated to message authentication codes), which we represent as Straight Line Programs computing multi-variable polynomials (an extended scheme covers all rational functions whose numerator and denominator are such polynomials). Unlike previous schemes, our scheme is what we call flexible: the size of the ciphertext depends on the degree bound of the polynomials, and beyond this all parameters of the scheme are completely independent of the size of the function and of the number of secret keys (users). We note that although KDM security has practical applications, all previous works in the standard model are either inefficient feasibility results, when the function set consists of general circuits, or handle only a small set of functions such as linear functions. The efficiency of our scheme is dramatically improved compared to the previous feasibility results.
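The abstract describes the function set abstractly; the following Python is an added illustration (not code from the paper or its authors) of what a KDM function set presented as straight-line programs over Z_N looks like, how the one parameter the paper says the ciphertext size depends on (the degree bound) is checked statically, and what a KDM-CPA challenger has to do with an f from that set: evaluate it on the real secret keys and encrypt the result, or encrypt 0 in the "ideal" world. The paper's own construction is not reproduced here; textbook Paillier is used only as a stand-in public-key scheme whose message space is Z_N, the secret key fed to f is taken to be each user's Paillier λ (a simplification), and the million-range primes in `TOY_PRIMES` are constructed for the demo and are far too small for real use.

```python
"""KDM function set given as straight-line programs (SLPs) over Z_N, and the
KDM-CPA challenger that must evaluate f on the real secret keys. Added
illustration, not the paper's scheme: textbook Paillier is a stand-in PKE with
message space Z_N, and the toy primes are constructed so the example runs."""
import math
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Gate:
    op: str     # "const": a = value; "key": a = user index; "add"/"mul": a, b = wire indices
    a: int = 0
    b: int = 0

class SLP:
    """Straight-line program computing a multivariate polynomial; last gate is the output."""
    def __init__(self, gates):
        self.gates = list(gates)

    def degree(self):
        """Static total-degree bound: needs only the program, never the keys."""
        deg = []
        for g in self.gates:
            deg.append({"const": lambda: 0, "key": lambda: 1,
                        "add": lambda: max(deg[g.a], deg[g.b]),
                        "mul": lambda: deg[g.a] + deg[g.b]}[g.op]())
        return deg[-1]

    def evaluate(self, keys, N):
        """f(sk_1, ..., sk_n) mod N."""
        w = []
        for g in self.gates:
            w.append({"const": lambda: g.a, "key": lambda: keys[g.a],
                      "add": lambda: w[g.a] + w[g.b],
                      "mul": lambda: w[g.a] * w[g.b]}[g.op]() % N)
        return w[-1]

def in_function_set(f, degree_bound):
    """The set F the parameters were generated for: SLPs of total degree <= degree_bound."""
    return f.degree() <= degree_bound

# --- stand-in PKE: textbook Paillier with g = N + 1 (toy sizes, an assumption) -------
TOY_PRIMES = [(1000003, 1000033), (1000037, 1000039)]   # constructed; one pair per user

def paillier_keygen(p, q):
    N = p * q                                   # message space is Z_N
    lam = math.lcm(p - 1, q - 1)                # secret key; lam < N, so f(sk) lives in Z_N
    return (N, N + 1), (lam, pow(lam, -1, N))

def paillier_enc(pk, m):
    N, g = pk
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:                  # negligible at real sizes, cheap to check
        r = secrets.randbelow(N - 1) + 1
    return pow(g, m % N, N * N) * pow(r, N, N * N) % (N * N)

def paillier_dec(pk, sk, c):
    N, _ = pk
    lam, mu = sk
    return (pow(c, lam, N * N) - 1) // N * mu % N

# --- KDM-CPA challenger ----------------------------------------------------------------
class KDMChallenger:
    """real=True: query(i, f) returns Enc(pk_i, f(sk_1..sk_n)); real=False: Enc(pk_i, 0).
    KDM security w.r.t. F means no efficient adversary can tell the two worlds apart."""
    def __init__(self, n_users, degree_bound, real):
        keys = [paillier_keygen(p, q) for p, q in TOY_PRIMES[:n_users]]
        self.pks = [pk for pk, _ in keys]
        self._sks = [sk for _, sk in keys]
        self.degree_bound, self.real = degree_bound, real

    def _message(self, i, f):
        # Simplification: f sees each user's lambda, reduced into the target's Z_{N_i}.
        return f.evaluate([lam for lam, _ in self._sks], self.pks[i][0]) if self.real else 0

    def query(self, i, f):
        if not in_function_set(f, self.degree_bound):
            raise ValueError("f is outside the function set F")
        return paillier_enc(self.pks[i], self._message(i, f))

    def check_answer(self, i, f, c):
        """Challenger-side check (needs sk_i): did the oracle really encrypt f(sk)?"""
        return paillier_dec(self.pks[i], self._sks[i], c) == self._message(i, f)

def key_cycle(n_users):
    """Classic key cycle: f_j(sk) = sk_{(j+1) mod n}, i.e. sk_{j+1} encrypted under pk_j."""
    return [SLP([Gate("key", (j + 1) % n_users)]) for j in range(n_users)]

def quadratic_example():
    """f(sk) = 3*sk_0^2 + sk_0*sk_1 + 7, a degree-2 polynomial in two users' keys."""
    return SLP([Gate("key", 0), Gate("key", 1), Gate("const", 3), Gate("const", 7),  # w0..w3
                Gate("mul", 0, 0), Gate("mul", 2, 4),   # w4 = sk_0^2, w5 = 3*sk_0^2
                Gate("mul", 0, 1), Gate("add", 5, 6),   # w6 = sk_0*sk_1, w7 = w5 + w6
                Gate("add", 7, 3)])                     # w8 = w7 + 7 (output)

if __name__ == "__main__":
    ch = KDMChallenger(n_users=2, degree_bound=2, real=True)
    f = quadratic_example()
    print("deg", f.degree(), "oracle ok:", ch.check_answer(0, f, ch.query(0, f)))
```

Two things the code makes concrete. First, the "flexible" property in the abstract corresponds to `degree_bound` being the only quantity fixed when the challenger (in the paper, the key generator) is set up: the number of gates in the SLP and the number of users are not. Second, the oracle's answer cannot be computed from the public keys alone, so in the real world the challenger must hold every user's secret key; the classic key cycle and the degree-2 polynomial are handled identically once both are expressed as SLPs.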


Keywords: Random Oracle, Security Parameter, Security Proof, Homomorphic Encryption, Message Space



Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Tal Malkin (Columbia University, USA)
  • Isamu Teranishi (Columbia University, USA; NEC, Japan)
  • Moti Yung (Columbia University, USA; Google Inc., USA)
